Thank you.
It's not my fear. We have taken on a subcontract to provide Help Desk
support for another organization that is supplying these laptops. We
were told the laptops would have "full disk encryption", so that's I
what I expected to find when I received them. I did not find what I expected.
When I think "full disk encryption", I think that means that when the
user turns the machine on, s/he has to enter some credentials before
s/he even sees the OS login screen. In other words, the entire disk
outside of the master boot record must be manually unlocked before
any use can be made of it, no matter where that disk is or who is
trying to use it. Having successfully done that, I then expect the
user to have to enter another set of credentials at the OS login
screen before s/he can use the machine.
(Two factor authentication would not work in legitimate situations
where there is no internet or phone service, a very common situation
in my rural part of the country.)
That is what you get if you set up "full disk encryption" using
VeraCrypt on a Windows 7 machine. We don't do this very often. I
prefer simply to create a separate data partition and encrypt that so
the user doesn't need two sets of credentials if s/he isn't going to
do anything but, say, run a web browser to access encrypted websites.
We don't use BitLocker for this because our laptops are Win7 Pro, not
Ultimate. You have to have Ultimate to set up Bitlocker encryption in
Win 7 (you only need Pro to read a Bitlocker-encrypted device, like a
USB memory stick).
So apparently there are two completely different definitions of "full
disk encryption" out there in the wild. Both will protect you if
somebody steals the device and pulls the HDD out of it. (However, I
also thought that ordinary Windows encryption, present in XP and
perhaps earlier, would do that.) One of them will protect you if
somebody steals the device and one set of credentials; they other one won't.
I will point out that I'm not the only person who saw it this way;
both of my assistants, who are experienced computer guys and not
relying on me, had the same definition of "full disk encryption" in
their heads.
Since the organization that is paying us has the responsibility for
complying with federal NIST security standards, and not me, I will
shrug this off even though I don't believe that what you have
described--and what the organization has done--actually complies with
the standard in question.
Anyway, thanks for your help.
Ken
BitLocker will only prompt for a recovery key if it detects the device that
the hard drive is in has changed. It's inconspicuous in day-to-day use (and
it has nothing to do with being connected to the Internet or in Modern
Standby mode).
The purpose is to protect the data when the drive is removed and put into
another machine to be read. If someone steals your entire machine and knows
the local login credentials, well you're on your own. If that's your fear
maybe enable two-factor authentication (e.g. Windows Hello and a PIN).
Eric
On Wed, Jun 27, 2018 at 11:53 AM, Ken Dibble <[email protected]> wrote:
> Perhaps someone here can answer this question.
>
> I have a Windows 10 Pro laptop. It is part of an Azure AD domain, in which
> InTune is being used for a variety of management functions. It is supposed
> to have Bitlocker full disk encryption enabled, and the Bitlocker key is
> stored in InTune.
>
> I do not connect any cables to this laptop. I simply turn it on. I do not
> manually connect it to any wireless internet source. The machine displays a
> standard Windows 10 login screen. Having local admin credentials, I log in
> and get full access to the machine.
>
> What is wrong with this picture?
>
> As I understand Win 10 Bitlocker disk encryption, I don't need to supply
> pre-boot credentials if the computer can see the internet, or if the
> machine has "Modern Standby" enabled. I understand the latter to mean that
> the laptop has never been fully turned off since somebody unlocked the
> encryption.
>
> If I am correct, since I did not connect the laptop to any internet
> source, yet I still am able to get into the machine using only the local
> admin credentials, if Bitlocker full-disk encryption is actually
> implemented, then the machine must be in "Modern Standby".
>
> I don't use Windows 10 but to me this situation is analogous to having set
> up full disk encryption on a Win 7 box, submitted a PIN to get to the login
> screen, and then closed the lid to force hibernation mode. If I open the
> lid I don't need to put in the pre-boot PIN again but I have to log into
> Windows.
>
> As I see it, if somebody steals this laptop as well as the local admin
> credentials, the alleged Bitlocker "full disk encryption" will do
> absolutely nothing to prevent the thief from gaining full control of the
> machine.
>
> Is this correct, or am I, as is often the case, missing some crucial piece
> of information.
>
> Thanks for any help.
>
> Ken Dibble
> www.stic-cil.org
>
>
>
[excessive quoting removed by server]
_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox
OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: http://leafe.com/archives/byMID/profox/
** All postings, unless explicitly stated otherwise, are the opinions of the
author, and do not constitute legal or medical advice. This statement is added
to the messages for those lawyers who are too stupid to see the obvious.
